A CIO Blog with a twist; the majority of my peer CIOs talk about the challenges they face with vendors, internal customers and business folks, and when things get through the airwaves, the typical response is "Oh I See". Some of you may disagree with my meanderings and that's okay. It's largely experiential and sometimes a lot of questions

Updated every Monday. Views are personal

Monday, February 26, 2007

Security and the CIO

Last week I attended a CIO conference that focused on IT security. The debate that ensued was whether IT security is strategic or tactical within an organization. This was discussed by an eminent panel comprising CIOs, Chief of IT security and a consultant.

From the word "go" it was fairly obvious that no one was willing to accept that IT security within their enterprise is tactical. Many instances were cited to drive home the point that it is indeed strategic. When I asked around the audience, it was evident that the desire is to get security to a strategic level, but the reality is that in most organizations the level of focus is purely tactical.

The proponent of the strategic intent even went on to tell a story about how his business leader consulted him on security, little realizing that the example made it quite evident that there was no alignment with the business leader, who was primarily ticking off his checklist of clearances, sought after the system was ready to deploy.

A few CIOs were prudent in stating that there is a balance between the strategic intent and the tactical implementation. Without the technology and process underlying the operation, the people will rarely see the value of what it really means.

I happened to talk about IT security at another seminar a couple of weeks back, which sought to highlight the practical aspects of IT security and how one manages it. The discussion was not about whether a tactical or a strategic view should be taken, with debate on the pros and cons of deployment, but about how one succeeds in deploying controls and technology, with the help of people, to be effective.

The question still remains in my mind whether we should elevate the question "Is IT security strategic or tactical?" in the first place. To me, IT security is a must, without which IT will probably collapse with significant business impact. Even the best-laid plans do fail (the story of TJX is still not cold), and not for want of trying but because someone is trying harder to break in.